PGP users

Discussion in 'other security issues & news' started by ljc1174, Sep 6, 2002.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    This may already be known, but I haven't seen any posting on it, so forgive me if this is old news.
    I noticed a post with PGP and felt the need to share. I just noticed the link on my homepage for one of the news articles, anyway, like I said, if it's old and already known forgive my slowness.

    File-name flaw threatens PGP users

    Security-consulting firm Foundstone said Thursday that e-mail messages encrypted with the Pretty Good Privacy program can be used as digital bullets to attack and take control of a victim's computer.

    Because of a flaw in the way PGP handles long file names in an encrypted archive, an attacker could "take control of the recipient's computer, elevating his or her privileges on the organization's network," Foundstone said in an advisory.

    see link for complete story
    http://msn-cnet.com.com/2100-1001-956815.html?type=pt&part=msn&tag=cdf&form=base&subj=cn_fd
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Lori,

    No need to apologize - and thanks for posting! ;).

    IMHO NAI only screwed PGP - reason the more to stick to the old "Zimmermann" versions, like 6.5.1 or the .ckt versions.

    Things most probably will change for the better as new releases are concerned, now Zimmermann is involved once more, and NAI no longer being involved.

    regards.

    paul
     
  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    That was very informative Paul and Lori.I have heard of PGP,but I am not at all familiar with it.At any rate,I'll steer clear of that program for now.Thank you for the info.
     
  4. other members may be interested in this article.


    Underflow of búfer in PGP 7.1.1
    http://www.vsantivirus.com/vul-pgp711.htm

    By VSAntivirus Writing
    vsantivirus@videosoft.net.uy

    Warning of security: Underflow of búfer in PGP 7.1.1
    Original name: Remotely Exploitable Overflow Buffer in PGP
    Original date: 5/set/02
    Vulnerable application: PGP Corporate Desktop 7.1.1
    Severity: Burden
    Risk: Remote execution of revealed code and of passwords
    Reference: http://www.foundstone.com/advisories


    A new vulnerability in PGP (Pretty Good Privacy), the popular software of encriptación and coding, allows that an attacker can execute any code in remote form in the computer of that she has installed version 7,1,1 of this application.

    The fault takes place, because noncertifica PGP in all the cases, the length in the name of a file that it is processing.

    This allows that the program fails when the user tries to codify or to desencriptar a document with an excessively long name.

    An attacker could operate this fault in his favor, creating a file name of certain length and format, codifying the document with the public key of the victim, and soon commanding to him to this one this file like associate in an electronic message.

    When the victim tried to desencriptar this file, the excessively long name would surpass the size in the buffer assigned by PGP for its process, causing an underflow of búfer, and what is more critical, executing any code that the attacker has including.

    In certain conditions, this also allows to reveal the password of the attacked user, because the same one is at certain moment in memory, in flat format (that is readable), and is not erased if PGP is hung before it.

    An attacker can use some appropriate tool to capture and soon to be sent to if same these data.

    The attack takes advantage of one of the characteristics that make the cryptographic utilities like PGP so efficient and popular, the availability in Internet of lists with the public keys of the users.

    (more info at the link)
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,402
    Location:
    North Carolina, USA
    Hello all,

    The best choice IMHO is to use PGP 6.5.8 ckt 09 beta 3. It is very stable (even on XP machines) and these vulnerabilities do not apply to this version.

    You can find it here:
    http://freepages.computers.rootsweb.com/~irfaiad/

    Regards,
    Kent
     
Loading...
Thread Status:
Not open for further replies.